[Fwd: Re: X-windows security in Gnome]

Gregory Leblanc gleblanc at linuxweasel.com
Sat May 18 07:32:59 EST 2002


On Fri, 2002-05-17 at 14:13, Nicolas.Williams at ubsw.com wrote:
> The "integration" of SSH with apps is already there.

I'm fully aware of the ability of OpenSSH to tunnel X11 connections, as
is Jim (per his message).  Jim was saying that there was a potential to
do more, or cleaner, integration between X applications and SSH.  I'm
not familiar enough with either SSH or the X Window System to know
exactly where that integration could be done, or how the existing
integration could be "cleaner".
	Greg

P.S.  Is my signature not explicit enough?  I don't need to receive
multiple copies, one to the list is plenty, thanks.

> Read the OpenSSH [or other SSH implementation's] man pages and the SSHv2 specs. RTFM!
> 
> Essentially SSH supports tunneling of X11 traffic. The SSH daemon is responsible for creating a local X11 display endpoint and setting the DISPLAY environment variable appropriately, then the apps you run in SSH sessions with X11 forwarding do the right thing and open a display which is really the SSH daemon and which proxies back-and-forth to the SSH client, which then proxies back and forth to its DISPLAY.
> 
> Oh, and, yes, there are patches for doing Kerberos authentication in SSHv2 with OpenSSH. So yes, SSHv2 w/ X11 forwarding and w/ GSS (w/ Kerberos) key exchange / userauth is a decent approximation of kerberized X11 - it's better even, since one need not forward or proxy any tickets to make the SSH approach work, but one does have to forward or proxy tickets to make the kerberized X11 approach work. And SSH can compress SSH traffic too.
> 
> Cheers,
> 
> Nico
> --  
> 
> > -----Original Message-----
> > From: Gregory Leblanc [mailto:gleblanc at linuxweasel.com]
> > Sent: Friday, May 17, 2002 4:59 PM
> > To: OpenSSH Devel List
> > Subject: [Fwd: Re: X-windows security in Gnome]
> > 
> > 
> > This is from a security discussion on one of the GNOME lists.  Jim is
> > one of the original X11 people, for what that's worth.  I just thought
> > I'd try to tempt some folks here into looking at doing ssh and X
> > integration "right".  
> > 	Greg
> > 
> > -- 
> > Portland, Oregon, USA.
> > Please don't copy me on replies to the list.
> > 

-- 
Portland, Oregon, USA.
Please don't copy me on replies to the list.
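
An added example, not part of the original thread: the quoted description says sshd creates a local display endpoint and sets DISPLAY to point at it, so this Python sketch classifies a DISPLAY value as a local socket, an sshd-style proxy display, or a direct TCP display that bypasses the tunnel. It assumes sshd's default X11DisplayOffset of 10 with X11UseLocalhost enabled; the function and type names are hypothetical and the sample values are constructed.

```python
import re
from typing import NamedTuple, Optional

X11_BASE_PORT = 6000      # X11 over TCP uses port 6000 + display number
SSHD_DISPLAY_OFFSET = 10  # assumed: sshd_config X11DisplayOffset left at its default
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

class Display(NamedTuple):
    host: str
    number: int
    screen: int
    kind: str                 # local-socket | ssh-forwarded | loopback-tcp | remote-tcp
    tcp_port: Optional[int]   # None when no TCP connection is involved

# [host]:display[.screen]; the greedy host part lets IPv6 literals through.
_DISPLAY_RE = re.compile(r"^(?P<host>.*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")

def classify_display(value: str) -> Display:
    """Classify a DISPLAY string by how the client will reach the X server."""
    m = _DISPLAY_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a DISPLAY value: {value!r}")
    host = m["host"].strip("[]")
    num = int(m["num"])
    screen = int(m["screen"] or 0)

    # Empty host, "unix", or a socket path means a local Unix-domain socket.
    if host in ("", "unix") or host.endswith("/unix") or host.startswith("/"):
        return Display(host, num, screen, "local-socket", None)

    port = X11_BASE_PORT + num
    if host.lower() in LOOPBACK:
        # Heuristic: loopback plus a display number at or above the offset
        # is what sshd's proxy endpoint looks like with default settings.
        kind = "ssh-forwarded" if num >= SSHD_DISPLAY_OFFSET else "loopback-tcp"
    else:
        # The X11 protocol goes straight to another host, outside any SSH tunnel.
        kind = "remote-tcp"
    return Display(host, num, screen, kind, port)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for sample in (":0", "localhost:10.0", "[::1]:11", "workstation.example:0.0"):
        print(f"{sample:28} {classify_display(sample)}")
```

A session whose DISPLAY classifies as remote-tcp is not using the forwarding described above, which makes it worth flagging when auditing login environments.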



